Disclosure of Invention
Existing applications/clients for instant messaging typically encrypt the random numbers by a soft algorithm, i.e., by some mathematical algorithm, which is not truly random. This is because cryptographically secure pseudo-random numbers are not compressible, whereas the true random numbers corresponding thereto are usually only generated by a physical system. Therefore, the existing technology for encrypting the information to be transmitted by using the pseudo random number generated by the soft algorithm has a certain security risk.
Aiming at the defects of the prior art, the invention provides an encryption system and method based on quantum random numbers.
The method at least comprises the following steps:
at least two clients send public keys corresponding to the clients to a server, wherein the clients can serve as a sender or a receiver of information to be transmitted;
The server receives the public key corresponding to the client sent by the client, and sends the public key of the client serving as a receiver of the information to be transmitted to the client serving as a sender of the information to be transmitted;
the quantum random number generator sends a quantum random key corresponding to the information to be transmitted to the server, and the server receives the quantum random key;
the server sends the quantum random key to a client which is used as a sender of the information to be transmitted;
The client serving as a sender of the information to be transmitted encrypts the information to be transmitted by using the quantum random key, encrypts the quantum random key by using a public key of the client serving as a receiver of the information to be transmitted, and sends data to be transmitted, which at least comprises the information to be transmitted and the quantum random key, to the client serving as the receiver of the information to be transmitted;
After the client serving as the receiving party of the information to be transmitted receives the information to be transmitted, decrypting the quantum random key to obtain the quantum random key, and decrypting the information to be transmitted by using the quantum random key to obtain the information to be transmitted.
However, the structure, the traffic rate, the access address, etc. of the data packets (such as the information to be transmitted) in the data transmission channel between the clients are usually fixed or regularly and circulated, and the data traffic of other application programs is not confused in the data transmission channel, so that the data packets are easy to be analyzed and/or positioned by some lawless persons, and there is a security risk of information leakage. Therefore, the client serving as a sender of the information to be transmitted transmits the data to be transmitted containing the information to be transmitted and the quantum random key to the client serving as a receiver of the information to be transmitted based on a confusion protocol. The confusion protocol mainly realizes the protection of the information to be transmitted by the client by carrying out confusion on the information to be transmitted in the data transmission channel.
According to a preferred embodiment, the step of sending the data to be transmitted including the information to be transmitted and the quantum random key to the client that is the receiving party of the information to be transmitted includes:
The client serving as a sender of the information to be transmitted at least masquerades the information to be transmitted in the data to be transmitted based on a confusion protocol and forms first masquerade data;
the server acquires the first disguised data, and analyzes the first disguised data according to the confusion protocol to acquire a real request in the information to be transmitted;
The server forwards the first disguised data to a client of the receiver which is the information to be transmitted and corresponds to the real request based on the real request;
the client side of the receiver serving as the information to be transmitted acquires the first disguised data forwarded by the server;
And the client side of the receiver serving as the information to be transmitted analyzes the first disguised data forwarded by the server based on the confusion protocol, and acquires the data to be transmitted from the first disguised data.
According to a preferred embodiment, the first masquerading data comprises at least information to be transmitted, a quantum random key, a masquerading request, and an identifier. The masquerading request corresponding to the real request in the information to be transmitted is generated by the client that is the sender of the information to be transmitted based on the obfuscation protocol. The identifier is used to identify a masquerading algorithm used by the client in generating the masquerading request. In the case where a plurality of the servers can form a server group, the client that is the sender of the information to be transmitted can send the first masquerading data to at least one server corresponding to the masquerading request in the server group based on the masquerading request.
According to a preferred embodiment, the method for camouflaging information to be transmitted comprises:
the client side serving as a sender of the information to be transmitted generates the disguised request through the disguising algorithm so as to hide the real request corresponding to the information to be transmitted;
and the client side serving as a sender of the information to be transmitted merges the information to be transmitted, the quantum random key, the disguise request and the identifier corresponding to the disguise algorithm into the first disguise data.
According to the configuration mode, the client can disguise the real request in the information to be transmitted by utilizing various algorithms, and can add the disguised request randomly generated by the disguise algorithm into the first disguise data, so that randomness of a server accessed by the client/the client serving as a receiver of the information to be transmitted is ensured, meanwhile, the real request corresponding to the information to be transmitted and the client serving as the receiver of the information to be transmitted, which corresponds to the real request, are prevented from being obtained through lawless analysis, meanwhile, the client and the server can disguise the real request in the information to be transmitted based on a confusion protocol, and the first disguise data is forwarded to the client serving as the receiver of the information to be transmitted, which corresponds to the real request, through the randomly generated disguise request, so that the real request of the information to be transmitted is hidden, and leakage of the information to be transmitted is prevented.
The access address of the data transmitted by the client is often fixed in the prior art. The information to be transmitted sent by the client in the invention is transmitted to the client which is the receiving side of the information to be transmitted through any one or more servers in the server group. Because the first disguised data corresponding to the information to be transmitted can be forwarded to the client of the receiver of the information to be transmitted corresponding to the real request through a random server, the data transmission channel for transmitting the information to be transmitted is in continuous change and is irregular and circulated, thereby preventing lawless persons from acquiring the information to be transmitted (such as the real request) and/or acquiring related information of the information to be transmitted from the fixed data transmission channel.
According to a preferred embodiment, the method for camouflaging information to be transmitted further comprises:
the client side serving as a sender of the information to be transmitted performs random filling and/or multi-frequency Bit flow camouflage transmission on the information to be transmitted in the data to be transmitted so as to confuse the information to be transmitted and prevent the information from being deciphered by lawbreakers.
In the prior art, data traffic of other application programs and the like cannot be mixed into the information to be transmitted in the transmission of the information to be transmitted, and the structure, the traffic rate and the like of the information to be transmitted in the transmission process are regular and circulated, so that the information to be transmitted is easy to be analyzed by lawless persons to obtain the relevant rules of the information to be transmitted, and the information to be transmitted is further leaked. The invention adds multi-node flow confusion, namely, randomly filling the information to be transmitted in the data to be transmitted and/or carrying out multi-frequency Bit flow camouflage transmission, so that the characteristics of the information to be transmitted, such as the structure, the flow rate and the like, in the transmission process are irregular and can be circulated, thereby realizing the confusion of the information to be transmitted and preventing the information to be transmitted from being deciphered by lawbreakers.
Through the configuration mode, the client side of the invention randomly mixes the real information to be transmitted into the data packets of other application programs, and forwards the first camouflage data to one or more servers in batches at random (for example, the sending time of the first camouflage data is also randomly set through a random algorithm), so that the characteristics of the data packets of the transmitted first camouflage data, such as the structure, the flow rate and the like, are irregularly circulated, and the purpose of confusing a data eavesdropper is achieved. When the client and the server transmit information to be transmitted or first camouflage data, the client camouflage the encrypted information to be transmitted or the data packet of the first camouflage data into the data packet which has the same/similar structure as other application programs and/or the encrypted data packet of the information to be transmitted or the data packet of the first camouflage data is hidden in the data packet of other application programs and then transmitted to the server in batches, so that the aim of confusing a data eavesdropper is fulfilled.
According to a preferred embodiment, the quantum random number generator is capable of sending the quantum random key to the server when the information to be transmitted is generated, the server being capable of numbering the quantum random key and receiving the quantum random key in dependence of the numbering.
According to a preferred embodiment, the client as the sender of the information to be transmitted can send a request to the server when generating the information to be transmitted, where the request is used to request the server for a quantum random key corresponding to the information to be transmitted. The server can acquire the request in real time and send the quantum random key corresponding to the information to be transmitted to the client side which sends the request.
According to a preferred embodiment, the client of the receiver of the information to be transmitted is able to send second disguised data to the server, in case the client of the receiver of the information to be transmitted has acquired the information to be transmitted. The second camouflage data at least comprises response data corresponding to the information to be transmitted in the first camouflage data.
The invention also provides an encryption system based on the quantum random number. The encryption system at least comprises at least two clients, a server and a quantum random number generator.
At least two clients are configured to be able to act as a sender or receiver of information to be transmitted.
The server is configured to be able to receive the public key corresponding to the client transmitted by the client and transmit the public key of the client as a receiver of the information to be transmitted to the client as a sender of the information to be transmitted.
The quantum random number generator is configured to be able to send a quantum random key corresponding to the information to be transmitted to the server.
And under the condition that the server sends the quantum random key to the client side serving as the sender of the information to be transmitted, the client side serving as the sender of the information to be transmitted encrypts the information to be transmitted by using the quantum random key, and sends data to be transmitted, which at least comprises the information to be transmitted and the quantum random key, to the client side serving as the receiver of the information to be transmitted, wherein the client side serving as the receiver of the information to be transmitted acquires the information to be transmitted through the quantum random key so as to realize secure communication between the client sides.
The invention adopts the quantum random generator to generate the quantum random number/quantum random key, namely the generated quantum random number/quantum random key is a true random number, and can be fetched along with use. The security of quantum cryptography (e.g., quantum random number/quantum random key) is ensured by the physical properties of inaccurate measurement, inseparability, irreproducibility, etc. of the quantum state. While measuring the quantum state according to the "measurement collapse theory" will change the original quantum state, i.e. the data eavesdropping behavior of the data eavesdropper will introduce additional bit errors into the original quantum state. For example, when no data eavesdropper exists in the data transmission channel, the bit error rate of the quantum password is zero, and when the data eavesdropper exists in the data transmission channel, the bit error rate of the quantum password is twenty-five percent. When the bit error rate of the quantum cipher exceeds a threshold value, the existence of a data eavesdropper in the data transmission channel is indicated. The early warning module in data connection with the quantum random generator can send alarm information to the server, and the server can discard the distributed quantum random key based on the alarm information. Through the configuration mode, namely, the information content (such as information to be transmitted) of the instant messaging is encrypted by using the true quantum random number (such as a quantum random key) as an encryption key, so that the indecipherability and the uniqueness of the information content of the instant messaging are ensured, and the safe communication between the clients is further realized. In addition, the invention can also reduce the operation time consumed by the client to generate the pseudo random number by using the soft algorithm, thereby improving the efficiency, can also play a role in the confidentiality of information by combining the modern cryptographic algorithm (such as SM4, AES and the like), and can play a role in the authenticity, integrity and other requirements of information beyond confidentiality by combining authentication and other cryptographic algorithms.
Detailed Description
The following detailed description refers to the accompanying drawings.
The invention also provides an encryption method based on the quantum random number. The encryption method at least comprises the following steps:
At least two clients 1 send public keys corresponding to the clients 1 to the server 2, wherein the clients 1 can serve as a sender or a receiver of information to be transmitted;
The server 2 receives the public key corresponding to the client 1 transmitted by the client 1, and the server 2 transmits the public key of the client 1 as a receiver of the information to be transmitted to the client 1 as a sender of the information to be transmitted.
The quantum random number generator 3 sends a quantum random key corresponding to the information to be transmitted to the server 2. The server 2 receives the quantum random key.
The server 2 transmits the quantum random key to the client 1 as a sender of information to be transmitted.
Preferably, the encryption method further includes:
The client 1 serving as a sender of the information to be transmitted encrypts the information to be transmitted by using a quantum random key, encrypts the quantum random key by using a public key of the client 1 serving as a receiver of the information to be transmitted, and then sends data to be transmitted, which at least comprises the information to be transmitted and the quantum random key, to the client 1 serving as the receiver of the information to be transmitted;
After receiving the information to be transmitted, the client 1 as the receiver of the information to be transmitted decrypts the quantum random key to obtain the quantum random key, and the client 1 as the receiver of the information to be transmitted decrypts the information to be transmitted by using the quantum random key to obtain the information to be transmitted.
The information to be transmitted is information transmitted between the client 1 as a sender of the information to be transmitted and the client 1 as a receiver of the information to be transmitted.
The quantum random number generator 3 is capable of automatically generating a quantum random key.
Preferably, the quantum random key corresponding to the information to be transmitted, which is sent by the quantum random number generator 3 to the server 2, corresponds to the information to be transmitted one by one. Preferably, each piece of information to be transmitted corresponds to a new quantum random key.
Preferably, the server 2 transmits the quantum random key to the client 1, which is the sender of the information to be transmitted, through a bi-directional HTTPS transmission channel.
Preferably, the client 1, which is the sender of the information to be transmitted, encrypts the information to be transmitted using a quantum random key and using a symmetric encryption mechanism.
Preferably, the client 1 as the sender of the information to be transmitted transmits the data to be transmitted containing the information to be transmitted to the client 1 as the receiver of the information to be transmitted based on the confusion protocol.
The data to be transmitted comprises at least the information to be transmitted and the quantum random key.
Preferably, a private key used by the client 1 as a recipient of the information to be transmitted is stored in the client 1.
Preferably, after receiving the information to be transmitted, the client 1 as the receiving party of the information to be transmitted decrypts the public key-encrypted quantum random key in the data to be transmitted by using the private key corresponding to the public key to obtain the quantum random key.
Preferably, the client 1, which is the receiving side of the information to be transmitted, decrypts the information to be transmitted encrypted by the quantum random key using the quantum random key to acquire the information to be transmitted.
Preferably, the step of transmitting the data to be transmitted including the information to be transmitted to the client 1 as the receiving side of the information to be transmitted includes:
The client 1 serving as a sender of the information to be transmitted at least masquerades the information to be transmitted in the data to be transmitted based on the confusion protocol and forms first masquerade data;
the server 2 acquires first disguised data, and analyzes the first disguised data according to a confusion protocol to acquire a real request in the information to be transmitted;
The server 2 forwards the first masquerading data to the client 1 as a receiver of information to be transmitted corresponding to the real request based on the real request;
a client 1 as a receiver of information to be transmitted acquires first disguised data forwarded by a server 2;
The client 1 as the receiving side of the information to be transmitted parses the first masquerading data forwarded by the server 2 based on the confusion protocol, and acquires the data to be transmitted from the first masquerading data.
Particularly preferably, the number of servers 2 is two or more.
The real request is the address of the client 1 as the recipient of the information to be transmitted.
The confusion protocol at least comprises a method for disguising information to be transmitted and/or switching a data transmission channel for transmitting the information to be transmitted between the client 1, the server 2 and the client 1 which is a receiver of the information to be transmitted, so that the information to be transmitted in the data transmission channel is confused by the method to realize the protection of the information to be transmitted.
Since the security of the data transmission channel between the client 1 and the client 1 as the receiving party of the information to be transmitted is not high enough, the present invention proposes a rule for protecting the information to be transmitted in the data transmission channel, i.e. a confusion protocol.
The purpose of switching the data transmission channel by the confusion protocol is to forward the information to be transmitted to the client 1 as the receiving party of the information to be transmitted through the server 2 corresponding to the randomly generated camouflage request by using the camouflage request, that is, to transmit and confuse the information to be transmitted through multiple nodes (such as a server 2 group). The server 2 group includes a plurality of servers 2, and the information to be transmitted can be forwarded by any one server 2 in the server 2 group to the client 1 as the receiving party of the information to be transmitted, so that the data transmission channel formed in the process that the information to be transmitted is transmitted from the client 1 to the client 1 as the receiving party of the information to be transmitted is changed randomly, and finally, the protection of the information to be transmitted is realized by the random data transmission channel of the information to be transmitted.
The obfuscation protocol can also include an encryption method that secondarily encrypts the information to be transmitted/the first camouflage data. The encryption method may be an asymmetric encryption and/or a symmetric encryption algorithm.
The data in the data transmission channel comprises at least the information to be transmitted.
The data within the data transmission channel may also include first camouflage data.
Preferably, the first masquerading data includes at least information to be transmitted, a quantum random key, a masquerading request corresponding to a real request in the information to be transmitted, the masquerading request being generated by the client 1 as a sender of the information to be transmitted based on a confusion protocol, and an identifier for identifying a masquerading algorithm used by the client 1 as a sender of the information to be transmitted in generating the masquerading request. In the case where a plurality of servers 2 can form a server 2 group, the client 1, which is the sender of information to be transmitted, can send first masquerading data to at least one server 2 corresponding to the masquerading request in the server 2 group based on the masquerading request.
The information to be transmitted comprises at least the real request. The real request is the address of the client 1 as the receiver of the information to be transmitted to which the information to be transmitted is to be transmitted.
The kind of information to be transmitted may be determined according to the needs of the user.
The masquerading request is an address corresponding to any one of the servers 2 that is randomly generated by the client 1 masquerading the real request in the information to be transmitted.
The types of the information to be transmitted can be added or subtracted according to the actual application scene.
For example, the information to be transmitted may include the information to be transmitted and the real request, and the first masquerading data includes the information to be transmitted, the real request and the masquerading request.
The client 1, the server 2 and the client 1 as the receiving party of the information to be transmitted can all transmit the information to be transmitted based on HTTPS protocol and confusion protocol.
Preferably, the method for camouflaging the information to be transmitted comprises the following steps:
The client 1 as a sender of the information to be transmitted generates a masquerading request through a masquerading algorithm so as to hide a real request corresponding to the information to be transmitted;
The client 1, which is the sender of the information to be transmitted, merges the information to be transmitted, the masquerading request, and the identifier corresponding to the masquerading algorithm into first masquerading data.
Preferably, the method for camouflage of the information to be transmitted further comprises:
The client 1 serving as a sender of the information to be transmitted performs random filling and/or multi-frequency Bit flow camouflage transmission on the information to be transmitted in the data to be transmitted so as to confuse the information to be transmitted and prevent the information from being deciphered by lawbreakers.
Preferably, both the server 2 and the client 1, which is the recipient of the information to be transmitted, are able to masquerade based on the obfuscation protocol for the real request in the information to be transmitted.
In order to ensure the efficiency of data transmission, the HTTPS protocol uses symmetric encryption for data transmission after successful certificate verification, i.e. the HTTPS protocol uses asymmetric encryption only in the certificate verification stage. If the lawless persons intercept the information to be transmitted in the data transmission, the key adopted by the symmetric encryption is a pseudo-random number, and the current computer technology is in a rapid development stage, so that the information to be transmitted is very likely to be deciphered by the lawless persons within a certain time after the information to be transmitted is intercepted.
Therefore, the invention performs asymmetric encryption again on the basis of the symmetric encryption of the information to be transmitted. The operation not only does not significantly affect the efficiency of transmitting the information to be transmitted, but also greatly improves the safety of data transmission, namely, the information to be transmitted cannot be cracked even if lawless persons intercept the information to be transmitted which is subjected to symmetric encryption and asymmetric encryption.
Before the client 1 sends the information to be transmitted to the server 2, the client 1 encrypts the information to be transmitted through an asymmetric encryption algorithm and a symmetric encryption algorithm, and then the client 1 rewrites the real request in the information to be transmitted to disguise/hide the real request and generate a disguised request.
The masquerading request is randomly generated by the client 1 using a masquerading algorithm.
The masquerading algorithm has a specific identifier in the obfuscation protocol.
Particularly preferably, the first camouflage data can also comprise an identifier of a camouflage algorithm used by the client 1 to camouflage the current information to be transmitted.
The identifier may take the form of one or more of a number, letter, etc.
For example, if the identifier is "a", it means that the camouflage algorithm used by the client 1 to camouflage the current information to be transmitted is a first camouflage algorithm, and if the identifier is "B", the camouflage algorithm used by the client 1 to camouflage the current information to be transmitted is a second camouflage algorithm, and so on.
The camouflage algorithm can be flexibly selected according to the requirements of actual application scenes. The masquerading algorithm may be a message digest algorithm, a secure hash algorithm, a message authentication code algorithm, a cut algorithm, a parallel splice algorithm, etc. When the disguising request of the client 1 of the sender of the information to be transmitted is disguised by using a disguising algorithm and then sent to the server 2 or one server in the server group, the server 2 finds the corresponding disguising algorithm used by the client 1 of the sender of the information to be transmitted according to the disguising algorithm identifier contained in the first disguising data, and then analyzes the real address of the client 1 of the receiver of the information to be transmitted based on the disguising algorithm. And then, the server 2 sends the first disguised data to the corresponding client side 1 of the information receiver to be transmitted according to the real address of the client side 1 of the information receiver to be transmitted obtained through analysis.
For example, when the number of clients 1 as the recipients of the information to be transmitted is only one, the masquerading request indicates which server 2 of the server 2 group the first masquerading data is forwarded to the clients 1 as the recipients of the information to be transmitted, and when the number of clients 1 as the recipients of the information to be transmitted is more than one, the masquerading request indicates which server 2 the first masquerading data is forwarded to which client 1 as the recipients of the information to be transmitted.
The disguising of the client 1 for the real request in the information to be transmitted is achieved by overwriting the network request interface.
The client 1 transmits the first masquerading data to the servers 2 corresponding to the masquerading request in the server 2 group based on the masquerading request. The server 2 corresponding to the masquerading request can parse the first masquerading data based on the confusion protocol to obtain a real request corresponding to the information to be transmitted.
For example, the address (i.e., the real request) of the client 1 as the receiving side of the information to be transmitted corresponding to a certain information to be transmitted is www.cloudfront.com. And masquerading requests may employ any one or more of masquerading addresses of a.com, b.net, and c.org.
After the server 2 corresponding to the disguised request in the server 2 group receives the first disguised data sent by the client 1, the server 2 can obtain an identifier in the first disguised data based on a confusion protocol, analyze a disguised algorithm used by the client 1 corresponding to the current first disguised data through the identifier, and analyze a real request corresponding to information to be transmitted from the first disguised data (such as the disguised request in the first disguised data) based on the disguised algorithm. Then, the one or more servers 2 forward the first disguised data to the client 1 as the receiver of the information to be transmitted, which corresponds to the real request, in batches based on the real request corresponding to the information to be transmitted.
Preferably, the server 2 and the client 1 as the receiving side of the information to be transmitted may employ the same model of the server 2.
Preferably, the server 2 is able to switch over with the work responsibilities assumed by the client 1 as the recipient of the information to be transmitted. For example, the client 1 as the receiver of the information to be transmitted may be one server 2 in the group of servers 2, and one server 2 in the group of servers 2 may be the client 1 as the receiver of the information to be transmitted.
Through the configuration mode, the client 1 can disguise the real request in the information to be transmitted by utilizing various algorithms, and can add the disguised request randomly generated by the disguise algorithm into the first disguise data, so that the randomness of the server 2 accessed by the client 1/the client 1 serving as the receiver of the information to be transmitted is ensured, meanwhile, the real request corresponding to the information to be transmitted and the client 1 serving as the receiver of the information to be transmitted, which corresponds to the real request, are prevented from being obtained by lawless analysis, meanwhile, the client 1 and the server 2 can disguise the real request in the information to be transmitted based on a confusion protocol, and the first disguise data is forwarded to the client 1 serving as the receiver of the information to be transmitted, which corresponds to the real request, through the server 2 corresponding to the disguise request, so that the real request of the information to be transmitted is hidden, and leakage of the information to be transmitted is prevented.
The access address of the data transmitted by the client 1 in the prior art is often fixed. The information to be transmitted sent by the client 1 in the present invention is transmitted to the client 1 as the receiving side of the information to be transmitted through any one or more servers 2 in the server 2 group. Because the first disguised data corresponding to the information to be transmitted can be forwarded to the client 1 as the receiver of the information to be transmitted corresponding to the real request through the random server 2, the data transmission channel for transmitting the information to be transmitted is in continuous change and is irregular and circulated, thereby preventing lawless persons from acquiring the information to be transmitted (such as the real request) and/or acquiring the related information of the information to be transmitted from the fixed data transmission channel.
In the case of only one server 2, although the transmission path of the information to be transmitted cannot be randomly transformed, the flow disguising and random packing method can be applied to the information to be transmitted to protect the information to be transmitted.
Preferably, the method for camouflage of the information to be transmitted further comprises:
the client 1 performs random filling and/or multi-frequency Bit flow camouflage transmission on information to be transmitted in the data to be transmitted so as to confuse the information to be transmitted and prevent the information from being deciphered by lawbreakers.
The client 1 can disguise the information to be transmitted as a data packet (e.g., a data packet of a video music application program) having a different structure from the information to be transmitted by using a corresponding script, and perform interaction with the server 2 at an indefinite time to form the illusion of multi-frequency Bit traffic disguise transmission. Meanwhile, the client 1 can randomly mix data of other application programs into information to be transmitted, namely after the information to be transmitted is divided into a plurality of sub-data packets, the sub-data packets are hidden in the data packets of other application programs in batches, and the data packets of other application programs are transmitted to the server 2 or the client 1 serving as a receiving party of the information to be transmitted in sections, so that the information to be transmitted is confused and prevented from being decoded by lawbreakers.
In the prior art, data traffic of other application programs and the like cannot be mixed into the information to be transmitted in the transmission of the information to be transmitted, and the structure, the traffic rate and the like of the information to be transmitted in the transmission process are regular and circulated, so that the information to be transmitted is easy to be analyzed by lawless persons to obtain the relevant rules of the information to be transmitted, and the information to be transmitted is further leaked. The invention adds multi-node flow confusion, namely, randomly filling the information to be transmitted in the data to be transmitted and/or carrying out multi-frequency Bit flow camouflage transmission, so that the characteristics of the information to be transmitted, such as the structure, the flow rate and the like, in the transmission process are irregular and can be circulated, thereby realizing the confusion of the information to be transmitted and preventing the information to be transmitted from being deciphered by lawless persons.
The step of randomly filling the information to be transmitted in the data to be transmitted by the client 1 comprises the following steps:
judging whether the information to be transmitted reaches a triggering condition for triggering random filling;
randomly dividing information to be transmitted into a plurality of sub-data packets;
Generating a filling data packet to be filled;
randomly doping the filling data packet among a plurality of sub data packets;
sub-packets containing stuffing packets are sent to the server 2 or the client 1 as a recipient of the information to be transmitted in batches.
The client 1 judges whether the information to be transmitted reaches a trigger condition for triggering random filling. The trigger condition may be set manually according to the actual application scenario. For example, the client 1 may be able to add a specific trigger identifier to the information to be transmitted. If the client 1 identifies the information to be transmitted and finds that the first camouflage data has the trigger identifier, the information to be transmitted is identified by the client 1 as the information to be transmitted reaching the trigger condition triggering random filling, and if the client 1 identifies the information to be transmitted and finds that the first camouflage data does not have the trigger identifier, the information to be transmitted is identified by the client 1 as the information to be transmitted not reaching the trigger condition triggering random filling.
The triggering condition may be randomly generated by a corresponding algorithm, that is, the operation of the client 1 for random packet filling transmission of the information to be transmitted is random.
The information to be transmitted is randomly divided into a plurality of sub-data packets, so that the characteristics of the size, the number and the like of the sub-data packets are irregular and circulated.
If the client 1 analyzes the information to be transmitted and judges that the current information to be transmitted reaches the triggering condition preset by triggering, the client 1 generates a filling data packet for filling the information to be transmitted/the first camouflage data according to a corresponding algorithm. The stuffing packets may be packets having the same/similar structure as other applications (e.g., video, music, etc.) applications. The structure is the same as or similar to the structure, flow rate, frequency and other features of the data packet.
The number of padding packets that are padded between two sub-packets is random.
The time at which the client 1 transmits the sub-packet containing the padding packet to the server 2 or the client 1 as the recipient of the information to be transmitted may also be random.
Preferably, the server 2 or the client 1, which is a receiving side of the information to be transmitted, is capable of receiving a plurality of sub-packets in a segmented reception manner to reassemble the plurality of sub-packets into the first camouflage data.
By the configuration mode, the real information to be transmitted is randomly mixed into the data packets of other application programs, and the first camouflage data is forwarded to one or more servers 2 in batches at random (for example, the sending time of the first camouflage data is also randomly set by a random algorithm), so that the characteristics of the data packets of the transmitted first camouflage data, such as the structure, the flow rate and the like, can be irregularly circulated, and the purpose of confusing a data eavesdropper is achieved.
The step of the client 1 for carrying out multi-frequency Bit flow camouflage transmission on information to be transmitted in data to be transmitted comprises the following steps:
judging whether the information to be transmitted reaches a triggering condition for triggering multi-frequency Bit flow camouflage transmission or not;
analyzing the format of a data packet of the target application program;
Disguising information to be transmitted as a data packet of the target application program based on the format of the data packet of the target application program;
the disguised information to be transmitted is transmitted to the server 2 or the client 1 as a receiving side of the information to be transmitted.
The client 1 judges whether the current information to be transmitted reaches a triggering condition for triggering Bit flow camouflage transmission. The trigger condition may be set manually according to the actual application scenario. For example, the client 1 may be able to add a specific trigger identifier to the information to be transmitted. If the client 1 identifies the information to be transmitted and finds that the first camouflage data has the trigger identifier, the information to be transmitted is identified by the client 1 as the information to be transmitted which reaches the trigger condition of camouflage transmission by using the Bit flow, and if the client 1 identifies the information to be transmitted and finds that the first camouflage data does not have the trigger identifier, the information to be transmitted is identified by the client 1 as the information to be transmitted which does not reach the trigger condition of camouflage transmission by using the Bit flow.
The triggering condition can be randomly generated by a corresponding algorithm, namely, the operation of the client 1 for carrying out Bit flow camouflage transmission on the information to be transmitted is random.
The client 1 and the server 2 can disguise the traffic of the data packet to be transmitted by adopting methods such as traffic filling, traffic normalization, traffic disguising and the like.
The client 1 and the server 2 can disguise the flow of the data packet to be transmitted by adopting methods such as rerouting, adding garbage packets, packet loss, inclusion union, packet fragmentation, packet disorder, stream mixing, stream segmentation, stream merging and the like.
Particularly preferably, the client 1 and the server 2 of the present invention disguise the information to be transmitted by disguising the encrypted information to be transmitted as a packet in the same or similar format/structure as that of other applications (such as video, music, etc. applications).
For example, the client 1 needs to disguise the information to be transmitted this time into the format of the data packet of the target application program (such as a certain music application program), so that the client 1 may analyze the format/structure of the data packet of the target application program first, and disguise the information to be transmitted into the format/structure of the data packet of the music application program, so that the lawbreaker cannot identify the disguised information to be transmitted, and finally, the purpose of confusing the data eavesdropper is achieved.
Through the above configuration manner, when the client 1 and the server 2 transmit the information to be transmitted or the first camouflage data, the encrypted data packet of the information to be transmitted or the first camouflage data is camouflaged into the data packet with the same/similar structure as other application programs and/or the encrypted data packet of the information to be transmitted or the first camouflage data is hidden in the data packet of other application programs, and then the data packet is forwarded to the server 2 in batches, so as to achieve the purpose of confusing the data eavesdropper.
Preferably, the quantum random number generator 3 is capable of transmitting the quantum random key to the server 2 when the information to be transmitted is generated, and the server 2 is capable of numbering the quantum random key and receiving the quantum random key according to the number.
Preferably, the above numbers may be determined in a time-sequential order in which the quantum random key is received. For example, the first quantum random key received by the day server 2 is number one, the second quantum random key is number two, and so on.
Preferably, the client 1, which is the sender of the information to be transmitted, is capable of sending a solicitation request to the server 2 when generating the information to be transmitted, the solicitation request being for soliciting the server 2 for the quantum random key corresponding to the information to be transmitted. The server 2 can acquire the solicitation request in real time and send the quantum random key corresponding to the information to be transmitted to the client 1 that sent the solicitation request.
Preferably, the solicitation request may comprise an identification code of the client 1 that issued the solicitation request.
Preferably, the server 2 is able to send the quantum random key corresponding to the information to be transmitted to the client 1 corresponding to the identification code based on the identification code.
Preferably, in a case where the client 1 as the receiver of the information to be transmitted has acquired the information to be transmitted, the client 1 as the receiver of the information to be transmitted is able to transmit the second masquerading data to the server 2. The second camouflage data at least comprises response data corresponding to the information to be transmitted in the first camouflage data.
The type of the response data may be set according to the needs of the user.
The server 2 can acquire the second masquerading data and masquerade the second masquerading data as third masquerading data based on the obfuscation protocol.
Preferably, the information to be transmitted is used to request the second masquerading data from the client 1 that is the receiving side of the information to be transmitted.
The third camouflage data at least comprises response data corresponding to the information to be transmitted.
In response to the information to be transmitted, the client 1, which is the recipient of the information to be transmitted, can transmit response data corresponding to the first masquerading data to the server 2.
The client 1 as the receiving side of the information to be transmitted can also masquerade the response data based on the confusion protocol to generate second masquerading data.
The server 2 can acquire the second masquerading data and masquerade the second masquerading data as third masquerading data based on the obfuscation protocol.
The third masquerading data can be transmitted by the server 2 to the client 1.
Preferably, the second masquerading data may further include, but is not limited to, response data, a CA digital certificate signing public key, identity information, pseudo-random numbers, quantum random keys, identifiers of masquerading algorithms used by the client 1 that is the receiving party of the information to be transmitted at this time, and the like.
Preferably, the information to be transmitted is used to request the second masquerading data from the client 1 that is the receiving side of the information to be transmitted.
Preferably, the client 1 as the receiving side of the information to be transmitted is also able to encrypt the second masquerading data in an asymmetrically encrypted and symmetrically encrypted manner.
The third camouflage data at least comprises response data corresponding to the information to be transmitted in the first camouflage data.
Preferably, the third masquerading data may also include, but is not limited to, CA digital certificate signing public keys, identity information, pseudo-random numbers, quantum random keys, identifiers of masquerading algorithms used by the present server 2, and the like.
The camouflage and transmission processes of the second camouflage data and the third camouflage data are the same as those of the first camouflage data, so that the camouflage and transmission processes of the second camouflage data and the third camouflage data are not repeated here.
Fig. 1 shows a quantum random number based encryption system. The encryption system comprises at least two clients 1, a server 2 and a quantum random number generator 3. The client 1 can act as a sender or receiver of information to be transmitted. The server 2 is capable of receiving the public key corresponding to the client 1 transmitted by the client 1, and transmitting the public key of the client 1 as a receiver of the information to be transmitted to the client 1 as a sender of the information to be transmitted. The quantum random number generator 3 is capable of sending a quantum random key corresponding to the information to be transmitted to the server 2.
The client 1 as the sender of the information to be transmitted encrypts the information to be transmitted using the quantum random key, and sends the data to be transmitted including the information to be transmitted to the client 1 as the receiver of the information to be transmitted, and the client 1 as the receiver of the information to be transmitted acquires the information to be transmitted through the quantum random key, so as to ensure secure communication between the clients 1.
The invention mainly relies on the quantum random number generator 3 to generate true random numbers. In the process of using the quantum random number/quantum random key, the client 1 of the user may have a situation that the quantum random number has been used and a new quantum random number is not timely distributed to the client 1. In order to ensure normal communication of the client 1, in the case that the client 1 has a quantum random number that has been used and a new quantum random number that has not been issued in time, the client 1 can generate a pseudo-random number by a soft algorithm to temporarily replace the quantum random number/quantum random key that has not been issued in time at the time.
Since the transmitting quantum random number/quantum random key itself only carries information of the random bit string originally prepared for encryption, even if the transmitting quantum random number/quantum random key has been stolen by a data eavesdropper, the data eavesdropper still cannot acquire the actual information to be transmitted (such as highly confidential information). The present invention does not directly send or receive information to be transmitted (such as highly confidential information), but rather sends or receives random bit strings/quantum random keys. Once the client 1 and/or the server 2 find that the transmission of the random bit string/quantum random key is disturbed, the client 1 and/or the server 2 can immediately interrupt the transmission of the information to be transmitted and discard the random bit string/quantum random key, thereby ensuring the security of the information to be transmitted.
The server 2 is capable of receiving the quantum random key in real time.
Each client 1 is able to send a public key corresponding to the client 1 to the server 2.
Preferably, the client 1, which is the sender of the information to be transmitted, is able to encrypt the quantum random key using the public key of the client 1, which is the receiver of the information to be transmitted.
Preferably, the client 1, which is the recipient of the information to be transmitted, is able to receive the information to be transmitted in real time.
Preferably, the client 1, which is the recipient of the information to be transmitted, decrypts the encrypted quantum random key using the public key to obtain the quantum random key. The above-mentioned public key comes from the client 1 as the sender of the information to be transmitted.
Preferably, the client 1 as the receiving side of the information to be transmitted decrypts the information to be transmitted encrypted by the quantum random key using the quantum random key to acquire the information to be transmitted.
For example, the main procedure of the client 1 as the sender of the information to be transmitted to the client 1 as the receiver of the information to be transmitted may be:
S1, after logging in through a client 1A, a user A uploads respective public keys (such as public keys of the client 1A and the client 1B) to a server 2 respectively, and the server 2 encrypts and stores the public keys after receiving the public keys (such as public keys of the client 1A and the client 1B);
S2, the server 2 sends the public key of the client 1B used by the friend B of the user A to the client 1A used by the user A, and the client 1A encrypts and stores the public key of the client 1B locally;
S3, the server 2 receives the quantum random key generated by the quantum random number generator 3 and stores the quantum random key to the server 2;
s4, the server 2 transmits the quantum random key to each client 1 through a bidirectional HTTPS transmission channel;
S5, the client 1 encrypts the information to be transmitted by using a quantum random key and adopting a symmetrical encryption mechanism, encrypts the quantum random key by using a public key of the client 1B, and then sends the data to be transmitted to a receiver (such as the client 1B);
And S6, after the client 1 (such as the client 1B) serving as a receiver of the data to be transmitted receives the data to be transmitted, the client 1 serving as the receiver decrypts the encrypted quantum random key by using the locally stored private key to acquire the quantum random key. Then, the client 1 as the receiving side decrypts the information to be transmitted encrypted by the quantum random key using the above-described quantum random key to acquire the information to be transmitted.
After the user logs in, public key information of the client 1 used by the user is uploaded to the server 2. The uploading process adopts an asymmetric encryption algorithm. The asymmetric encryption algorithm requires two keys to encrypt and decrypt. Wherein the two keys are a public key and a private key respectively. If the data is encrypted using a public key, the encrypted data can be decrypted only using a private key corresponding to the public key. In short, the client 1 can automatically generate the above-described public key and private key locally when the user logs in through the client 1.
The client 1, which is the sender of the information to be transmitted, needs to upload its generated public key to the server 2.
The private key is generated locally (namely, the client 1 which is the sender of the information to be transmitted) and stored locally, and the private key is not transmitted through the Internet, so that the absolute safety of the private key is ensured. After obtaining the public key, the server 2 encrypts and saves the public key to ensure the security of the public key.
When a user adds a friend of the user (e.g., the friend of the user uses the client 1B) through the client 1 (e.g., the client 1A), the server 2 forwards the public key of the client 1 used by the friend stored previously to the client 1 of the user. The client 1 of the current user encrypts and saves the public key of the buddy to the local (e.g., client 1A).
Through the setting mode, when the user communicates with friends of the user through the client 1A and the client 1B, the public key of the friends of the user does not need to be called to the server 2, so that the possibility of leakage of the public key is reduced, and even if the server 2 is attacked and data are leaked, an attacker can only obtain the encrypted secret key (such as the public key) and cannot decrypt the information/data, and finally the aim of ensuring absolute safety of information to be transmitted is achieved.
In addition, the server 2 sends the quantum random key to the client 1 over a bi-directional HTTPS channel. The HTTPS protocol is a network protocol which is constructed by SSL (Secure Sockets Layer secure sockets layer) and HTTP protocol and can carry out encrypted transmission and identity authentication. All communications made by the server 2 and the client 1 based on the HTTPS protocol described above are encrypted. In short, the client 1 first generates a symmetric key and exchanges the key through the credentials of the server 2, i.e. a handshake process in general, and then all information/data traffic is encrypted. Also HTTPS itself may prevent man-in-the-middle attacks because it is self-contained with CA (CERTIFICATE AUTHORITY certificate authority) certificates for verification. A certificate is a digitized file that establishes a relationship between a public key and some entity. It contains version information, serial number, certificate recipient name, issuer name, certificate validity period, public key, digital signature of CA and some other information. Certificates are issued by CAs. The CA can determine the validity period of the certificate. The certificate is signed by the CA. Each certificate has a unique serial number. The serial number of a certificate and the issuer of the certificate can determine the unique identity of a certificate. The unique identity of the certificate can help to confirm the identity of the server 2, so that the quantum random number and the information to be transmitted are finally ensured to be safe.
It should be noted that the above-described embodiments are exemplary, and that a person skilled in the art, in light of the present disclosure, may devise various solutions that fall within the scope of the present disclosure and fall within the scope of the present disclosure. It should be understood by those skilled in the art that the present description and drawings are illustrative and not limiting to the claims. The scope of the invention is defined by the claims and their equivalents. The description of the invention encompasses multiple inventive concepts, such as "preferably," "according to a preferred embodiment," or "optionally," all means that the corresponding paragraph discloses a separate concept, and that the applicant reserves the right to filed a divisional application according to each inventive concept.